Xerox Privacy Notice: Rights of data subjects pursuant to the General Data Protection Regulation


EU Regulation 2016/679 (known as the General Data Protection Regulation, hereinafter referred to as "GDPR") will apply throughout the EU (having commenced on 25 May 2018). This regulation serves as the basis for standardised European data protection law. GDPR particularly obliges each relevant Xerox entity (hereinafter referred to, either individually or collectively, as "Xerox") as an EU personal data processor to ensure data subjects whose personal data are processed by it are informed of the collection, processing and use of that personal data and to notify them of their rights under GDPR.

The following information therefore describes the processing of your personal data by Xerox and your rights pursuant to GDPR. The precise data that are processed and the methods that may be used are primarily determined based on the particular services or products requested and/or agreed upon.

References to "Partner" in this notice mean a Xerox partner to whom Xerox supplies products and services and/or from whom that Partner's customer is supplied with Xerox products and/or services.

Controller in the sense of the GDPR

The controller for data collection, depending on which Xerox entity is processing personal data, is one or more of:

o Xerox Finance Limited, address; Waterside, Oxford Road, Uxbridge, Middlesex, UB8 1HS,
o Xerox (UK) Limited, address; Waterside, Oxford Road, Uxbridge, Middlesex, UB8 1HS or
o Xerox Limited, address; Riverview, Oxford Road, Uxbridge, Middlesex, UB8 1HS

Purpose of processing and legal basis for processing

Xerox processes personal data in accordance with the provisions of the GDPR (and/or any other local laws implementing GDPR or otherwise governing data protection in the UK):

As part of the performance of an existing contract between Xerox and you or in order to take steps at the request of a customer or Partner prior to entering into a contract with Xerox (Article 6 (1b) GDPR). Here, the purposes of the data processing are primarily determined by the particular product, service or offering. You can find additional details on the purpose of data processing in the product, service or offering related documents and the corresponding terms and conditions issued by Xerox. However a non-exhaustive list is as follows; (i) provide customer support; (ii) create reseller partnerships, and (iii) deliver the specific products and services requested by you.

Based on your consent (Article 6 (1a) GDPR). In the event you have granted Xerox consent to process personal data for specific purposes (e.g. for administering a Xerox Partner programme), this processing is lawful based on your consent.

Consent that has been granted may be withdrawn at any time and via the media through which it was obtained.

Based on legal requirements Xerox is obliged to comply with (Article 6 (1c) GDPR) or in the public interest (Article 6 (1e) GDPR). Examples include:

o General legal, accounting, tax and regulatory reporting requirements
o Supply chain auditing
o Anti-money laundering obligations
o Prevention of fraud

In the context of legitimate interests (Article 6 (1f) GDPR). Where required, Xerox processes your data in order to pursue our legitimate interests or those of third parties. Examples are:

o Product and services marketing and advertisement, subject to further applicable rules
o Delivering the specific products and services contracted for
o Preventing criminal offences
o Ensuring IT security
o Asserting legal rights and defence in the event of legal disputes
o Customer Relationship Management

Source of data and category of data

Xerox processes personal data that Xerox obtains from you in the context of our business relationship. To the extent required to provide Xerox products and services, Xerox also processes personal data that Xerox has obtained lawfully (e.g. for the performance of orders, for the fulfilment of contracts or based on consent granted by you) from other companies within the Xerox Corporation. Moreover, Xerox processes personal data that Xerox has lawfully acquired from publicly accessible sources (e.g. commercial registers, registers of associations, credit agencies, press, media, websites) and that Xerox is permitted to process.

Depending on the product / services Xerox provides to you, the following categories of data might be collected in relation to our provision of maintenance services, managed print services, sales of equipment, supplies and spare parts, IT solutions: Name, function, employer, postal address/ address, phone number, contract data, IP address.

Recipients of personal data

Within Xerox we essentially share your personal data with those who need to have access to it or use it, usually as necessary to complete any transaction or provide any product you have requested or authorised. We may also share it with those who wish to use it, in accordance with the law, to undertake marketing, provide rewards schemes or conduct customer surveys for example. In addition, and for the same purposes, we share personal data among Xerox-controlled affiliates and subsidiaries.

Transfer of personal data to recipients outside Xerox: We share your personal data with third parties when you tell us to do so. For example, when you provide payment data to make a purchase, we will share payment data with banks and other entities that process payment transactions or provide other financial services, and for fraud prevention and credit risk reduction. We also share personal data with vendors, sub-contractors or agents working on our behalf for the purposes described above. For example, companies we've hired to provide customer service support or assist in maintaining and servicing products via our systems and services may need access to personal data to provide those functions.

Transfer of personal data to a third country or an international organisation

Xerox transfers personal data to third countries, which means to countries located outside the EU or the EEA, only as part of data processing either under a contract, if you have granted Xerox your consent, or as prescribed by law. For example, some of our back office customer operations leasing activities are processed outside of Europe. If suppliers in a third country are used, they must be bound to comply with the level of data protection in Europe through:

o acknowledgement and acceptance of the EU standard contractual clauses in addition to instructions in writing or
o EU-US Privacy Shield certification provided the supplier is located in the USA
o Any adequacy decision, or on the basis that other adequate safeguards are in place,

in each case pursuant to Chapter V of GDPR.

Duration of data storage

Xerox processes and stores personal data as long as it is required to provide our products and services and to fulfil our contractual and legal obligations. The latter may include resolving disputes and enforcing our agreements. However, ordinarily, if the personal data are no longer required for such purposes Xerox will erase the personal data, unless processing and storage of the personal data is required for the following and similar purposes:

o Anti-money laundering, anti-bribery, currency reporting and record keeping requirements
o Regulatory and reporting compliance
o Prudent management of business risk having regard to contractual and other legal limitation periods

As a result, actual retention periods can vary.
Statutory or contractual requirement for the provision of personal data

You are obliged to provide such personal information to Xerox as may be required to enable us to enter into a contract, fulfil our contractual obligations, or to comply with applicable legal requirements. Without this personal data Xerox may not be able to enter into a contract for products and services with you or may not be able to fulfil its contractual obligations under an existing contract. For example, we may need contact names for the addressing of invoices or for the delivery of parts and consumables.

Automated Decision-making and profiling

Xerox does not usually use automated decision-making and profiling according to Article 22 GDPR. However there are some exceptions to this, the main one being in respect of our leasing finance business where for example we use directors'/senior employees' personal data and personal data of smaller business owners and operators. That data is usually provided to be used by third parties such as credit reference agencies where an application for customer credit is received via a Partner. Automated decisions may be made as a result, such as whether to extend credit and whether to trace defaulters and assets. These decisions may affect the individuals whose personal data is used, usually in a business context but possibly in a personal context too. However, we consider that this is standard and fair business practice.

Right of access, Article 15 GDPR

You have the right to request information as to whether and to what extent Xerox processes your personal data. This right includes the right to information on;

o the purposes of the processing;
o the categories of personal data (type of data) processed;
o the recipients or categories of recipients to whom the data have been or will be disclosed, particularly if data have been or will be disclosed to recipients in third countries;
o where possible, the envisaged period for which your data will be stored, but at least the criteria used to determine the period stored for;
o the source of the data if personal data was not collected directly from you.

Where personal data are transferred to a third country, you have the right to be informed of the safeguards we take, whereby an appropriate level of protection is ensured on the part of the data recipient in the third country.

Right to rectification, Article 16 GDPR

You have the right to request the rectification of your data stored by Xerox if they are incorrect or incomplete. This includes the right to have incomplete personal data completed by means of supplementary statements or notices.

Right to erasure, Article 17 GDPR

You have the right (subject to certain conditions in GDPR) to request the erasure of your personal data (the "right to be forgotten") if;

o the personal data are no longer necessary in relation to the purposes for which they were collected and processed;
o the data processing is occurring based on consent granted by you and you have withdrawn your consent, provided there are no other legal grounds for the data processing;
o you have objected to data processing pursuant to Article 21 GDPR and there are no overriding legitimate grounds for further processing;
o your personal data have been unlawfully processed;
o the personal data have to be erased for compliance with a legal obligation in the Union or Member State law.

Right to restriction of processing, Article 18 GDPR

You have the right to have the processing of your personal data restricted. This right exists in the following cases:

o If you have contested the accuracy of your personal data, you may also request that, for a period enabling Xerox to verify the accuracy, your data not be used for purposes other than the verification of accuracy;
o If the processing of your personal data is unlawful, you may request restriction of the use of personal data instead of the erasure of that data;
o If Xerox has stored personal data that are no longer needed by Xerox but are required by you for the establishment, exercise or defence of legal claims, you can request restriction of the processing as an alternative to erasure of the data;
o If you have, under GDPR, objected to certain data processing and it has not yet been verified whether Xerox's interests in processing override your interests, you can request restriction of the processing for the review period.

Right to data portability, Article 20 GDPR

You have the right to request that the personal data concerning you be disclosed to you or to a representative designated by you in a commonly used electronic, machine-readable data format. This right only exists for personal data provided by you for processing based on consent or for the performance of a contract and by automated means. The right to data portability is subject to the condition that rights and freedoms of others are not adversely affected by the transmission of data.
Right to object, Article 21 GDPR

Where the processing has been carried out on the basis that it is for the public interest or for us to pursue our legitimate interests, you have the right to object at any time to the processing of that personal data, on the basis of your particular circumstances. In the event of objection, Xerox will determine whether there are still compelling grounds for the processing of your data and, if applicable, will refrain from further processing of your data.

Right to lodge a complaint with the competent supervisory authority, Article 77 GDPR

You have the right to contact the competent supervisory authority of the Union or Member State regarding any infringement of data protection regulations. The following supervisory authority is responsible for Xerox in the UK:

Information Commissioner's Office
Wycliffe House
Water Lane
Wilmslow
Cheshire, SK9 5AF

Exercise of the rights of data subjects

Please contact the company at; Any of the addresses shown above. Or via at in order to exercise any personal data-related rights regarding Xerox in relation to data processing procedures. Requests submitted electronically by you to the company data protection officer are generally answered electronically by Xerox, provided that you have not stipulated otherwise in your request.

The information, notices and measures to be provided by Xerox pursuant to GDPR are generally furnished free of charge, including the exercise of the rights of data subjects. Only in the event of blatantly unjustified or excessive requests is Xerox entitled to collect suitable compensation for processing or to refrain from action.

Requests for access and information are generally processed promptly, certainly within a month of receipt of the request. This period may be extended another two months if required in consideration of the complexity and/or number of the requests; in the event that the period is extended, Xerox will inform you within a month of the receipt of your request and indicate the reasons for the delay. If Xerox does act on a request, you will be promptly notified of this within one month of when your request is received with indication of the reasons for this, and you will also be informed of the option of submitting a complaint to a supervisory authority or of seeking judicial remedy.

Further information

If you would like further information about the personal data Xerox collects and processes please see our online privacy statement which can be found at